8/17/2011

VoIP Eavesdropping: UCSniff (II)

To start this second article I'll dig a little deeper in VoIP Eavesdropping techniques. There are different classifications over the net but I´m going to use "Hacking Exposed VoIP" book (I strongly recommend it) one for being , in my opinion, the most complete. According to it we define four categories for these attacks:

TFTP Configuration File Sniffing
IP phones often obtain their configuration parameters from a TFTP server, you can get an idea imagining something similar to DHCP Protocol, but in application layer of course. In this case attacker could obtain some passwords sniffing or downloading them directly from ftp server, moreover he could even reconfigure phone. In fact I have a fun idea in mind for another POC but we are waiting for someone to lend us a proper phone :).

Number Harvesting
Attacker monitors all calls in order to obtain legitimate numbers and extensions of a system which will be used combined with other attacks.

Call Pattern Tracking
The attack target is the list with all the calls made by a member of an organization in order to detect suspicious activities among the members.

Conversation Eavesdropping and Analysis
This is the most impressive attack because the bad guy try to record both sides of conversations.

That being said, now I´m going to show UCSniff automates the attacks studying results obtained from last post. Next picture shows files generated after the sniffing.

Figure: Generated files

TFTP Configuration File Sniffing
As I said before I do not have a proper phone for this test, but UCSniff supports it, even TFTP Modify Attack (cursiva) as you can see in the picture.

Figure: TFTP Modify Attack

Number Harvesting
During the sniffing we could see extensions involved in calls on the Output and Status(cursiva) panel. Now we can consult them in call.log, calldetail.log and sip.log , which also stores it with much more detailed log including all SIP messages (REGISTER, INVITE, etc.)

Figure: Detailed call list

Figure: INVITE from sip.log

Call Pattern Tracking
Files commented in Number Harvesting cover this point too.

Conversation Eavesdropping and Analysis
In this example 81-Calling-81-18:48:12-3-reverse.wav stores one side conversation for the reasons commented in previous post, but in a real environment we should get something like this:

Figure: Generated .wavs in real example

Names are really intuitive so, at this point, I think you can understand by yourself all the helpfull information included in other generated files, you can ask me any doubt in a comment or a mail :). In the next post I hope talk about countermesurements porposed for protect a infrastruture against this kind of Eavesdropping attack.